| From: | Peter Eisentraut <peter(dot)eisentraut(at)enterprisedb(dot)com> |
|---|---|
| To: | Jacob Champion <jchampion(at)timescale(dot)com> |
| Cc: | "pgsql-hackers(at)postgresql(dot)org" <pgsql-hackers(at)postgresql(dot)org> |
| Subject: | Re: [PATCH] Log details for client certificate failures |
| Date: | 2022-07-07 09:50:08 |
| Message-ID: | 61aa4b6c-9de2-d61b-821a-a34ab1e515e2@enterprisedb.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
On 05.07.22 18:34, Jacob Champion wrote:
> On Fri, Jul 1, 2022 at 1:51 PM Jacob Champion <jchampion(at)timescale(dot)com> wrote:
>> Sorry for the misunderstanding! v3 adds the Issuer to the logs as well.
>
> Resending v3; I messed up the certificate diff with my gitconfig.
This patch looks pretty good to me. Some minor details:
I looked into how you decode the serial number. I have found some code
elsewhere that passed the result of X509_get_serialNumber() directly to
ASN1_INTEGER_set(). But I guess a serial number of maximum length 20
octets wouldn't fit into a 32-bit long. (There is
ASN1_INTEGER_set_int64(), but that requires OpenSSL 1.1.0.) Does that
match your understanding?
For the detail string, I think we could do something like:
DETAIL: Failed certificate data (unverified): subject '%s', serial
number %s, issuer '%s'
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Peter Eisentraut | 2022-07-07 10:09:32 | Re: [RFC] building postgres with meson -v9 |
| Previous Message | Aleksander Alekseev | 2022-07-07 09:42:52 | Re: POC: Lock updated tuples in tuple_update() and tuple_delete() |